CVE-2025-13313
The CRM Memberships plugin for WordPress
Executive summary
A critical vulnerability exists in The CRM Memberships plugin for WordPress, allowing unauthenticated attackers to change the password of any user, including administrators. This flaw can be easily exploited if an attacker knows a user's email address, a piece of information the plugin also exposes, leading to complete account and site compromise. Immediate patching is required to prevent unauthorized access and potential data breaches.
Vulnerability
The vulnerability stems from a lack of authentication and authorization on two separate AJAX actions within the plugin. The primary issue is with the ntzcrm_changepassword action, which fails to verify that a password reset request is legitimate. An unauthenticated attacker can send a direct request to this endpoint with a target user's email address and a new password, allowing them to take over the account without any user interaction. This is compounded by a secondary information disclosure vulnerability in the ntzcrm_get_users endpoint, which also lacks authentication and allows an attacker to easily enumerate the email addresses of all subscriber-level users, providing a ready list of targets for the password reset attack.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to achieve full privilege escalation by targeting an administrator account. The business impact is severe and could include complete website compromise, theft of sensitive customer data and personally identifiable information (PII), website defacement, injection of malware or ransomware, and use of the compromised server for further malicious activities. The ease of exploitation and the potential for full administrative access pose a direct and immediate threat to the confidentiality, integrity, and availability of the affected WordPress site and its data.
Remediation
Immediate Action: Update The CRM Memberships plugin for WordPress to the latest version that addresses this vulnerability (any version after 2.5). After updating, conduct a thorough review of all user accounts, especially administrative ones, for any unauthorized changes or suspicious activity.
Proactive Monitoring: Monitor web server and application access logs for requests to the WordPress admin-ajax.php endpoint containing the vulnerable actions action=ntzcrm_changepassword or action=ntzcrm_get_users. Investigate any such requests originating from untrusted IP addresses. Additionally, monitor for unusual login patterns, unexpected password reset notifications, and the creation of new administrative accounts.
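The following Python script is an added example, not part of the advisory or the plugin vendor's code: it runs the log check described above over constructed sample access-log lines (combined log format), flags requests to admin-ajax.php carrying either vulnerable action, marks whether the source IP falls in an assumed trusted range, and reports any IP that performed the enumerate-then-reset chain. The sample lines, the trusted range and the example.test hostname are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:13:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:13:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_changepassword HTTP/1.1" 200 37 "-" "python-requests/2.31"
192.0.2.10 - - [10/Nov/2025:13:05:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 29 "https://example.test/wp-admin/" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2025:13:06:40 +0000] "GET /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2025:13:07:02 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# The two unauthenticated AJAX actions named in the advisory.
VULNERABLE_ACTIONS = {"ntzcrm_changepassword", "ntzcrm_get_users"}
# Assumed internal range used by legitimate administrators (adjust per site).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip):
    """True when the client address lies inside an allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious(log_text):
    """Return one record per request to admin-ajax.php that names a vulnerable action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        matched = set(parse_qs(parts.query).get("action", [])) & VULNERABLE_ACTIONS
        if not matched:
            continue
        hits.append({"ip": m["ip"], "timestamp": m["ts"], "method": m["method"],
                     "action": sorted(matched)[0], "status": int(m["status"]),
                     "trusted_source": is_trusted(m["ip"])})
    return hits

def ips_with_full_chain(hits):
    """IPs that both enumerated users and called the password change: the chain described above."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["action"])
    return sorted(ip for ip, acts in by_ip.items() if acts == VULNERABLE_ACTIONS)
```

Standard access logs record only the query string, so an `action` parameter sent in a POST body will not appear there; cover that case with WAF or application-level request logging.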
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Use a Web Application Firewall (WAF) to create rules that block requests to the ntzcrm_changepassword and ntzcrm_get_users AJAX actions.
- Temporarily disable The CRM Memberships plugin until it can be safely updated.
- Restrict access to the WordPress login and admin areas (/wp-login.php and /wp-admin/) to trusted IP addresses.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the high likelihood of active exploitation, we strongly recommend that organizations treat this vulnerability with the highest priority. The remediation plan should be executed immediately to prevent account takeovers and a potential full-site compromise. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics warrant the same level of urgency. After patching, organizations should assume a breach may have occurred and perform a security audit to check for unauthorized user accounts, modified files, or other indicators of compromise.